Phishing emails are very common these days. Below is a typical phishing email that claims to come from a local bank. Keep in mind that the same technique is used against customers of most banks these days. Spelling and grammatical mistakes usually give them away (although this example is pretty good). See the end of this article for the best ways to tell a phishing email from the real thing.
An email arrives with the subject line “Verify Your Phone Number“. Emails asking people to verify something are eye-catching and add a sense of urgency. Below are the contents of the email:
St.George Bank Limited is constantly working to improve the account security of our customers. In order, to ensure the integrity and security of our online banking system, we periodically review accounts. We were unable to contact you by phone during the last check, so please verify the information at your account file and make sure it is right.
Please, verify your account information by following the link.
Click here for verification: https://ibank.stgeorge.com.au/verify/
The next verification will be done soon, invalid account information will result in your account being placed to restricted status.
St.George Bank Limited
Some things you should keep in mind:
- Banks shouldn’t be trying to contact you by email (although sadly some still do)
- Banks rarely need to verify anything
- The links in the email are fake (they don’t go where they appear to)
What would happen if you clicked on the links provided in the email? They look genuine enough.
In most email clients, if you put the mouse pointer over the link and wait a second, you’ll see the real link. That’s right: the way email works, a sender can display a link that looks like a bank site’s address while the actual link goes somewhere completely different. Maybe the technology behind emails should be changed to make this impossible.
In this case the links point to a site called stgeorgeverify dot com. Again this might fool some people because it has the bank’s name in the address, but it’s not the bank’s address. It’s a phishing site designed to get customers to type in their bank details so that scammers can sell the information on the black market (and eventually so that money can be stolen from bank accounts).
There’s very little regulation of domain names (web addresses). It’s easy for someone to register a domain name that looks like a bank’s site: a name that differs from the real one by just one extra or changed letter is still available for anyone to register. And once someone registers a new domain name they can make it do whatever they like. Technically it’s a new site, even though the name looks similar to a legitimate site.
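The two tricks described above (link text that shows one address while the real link goes elsewhere, and a look-alike domain that merely contains the bank’s name) can both be checked automatically. The script below is an added example, not part of the original article or anything the bank publishes; it assumes an HTML version of the email, a constructed look-alike domain “stgeorgeverify.example” standing in for the real phishing address, and an allow-list of the bank’s genuine domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real email's HTML): the visible text shows the
# bank's address, but the href behind it goes to a look-alike domain.
SAMPLE_EMAIL_HTML = """<p>Click here for verification:
<a href="http://stgeorgeverify.example/verify/">https://ibank.stgeorge.com.au/verify/</a></p>
<p><a href="https://www.stgeorge.com.au/">St.George Bank Limited</a></p>"""

LEGITIMATE_DOMAINS = {"stgeorge.com.au"}  # assumed allow-list for this bank
BRAND = "stgeorge"                         # brand string to watch for in host names

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host name of a URL; tolerates link text without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_legitimate(host):
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)

def check_links(html):
    """Return (href, reason) for each suspicious link in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        # 1. Visible text that looks like a URL but the real link goes elsewhere.
        if text.startswith(("http://", "https://")) and host_of(text) != real_host:
            findings.append((href, f"shown as {host_of(text)} but goes to {real_host}"))
        # 2. The bank's name inside a host that is not one of the bank's own domains.
        elif BRAND in real_host and not is_legitimate(real_host):
            findings.append((href, f"look-alike domain {real_host}"))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML)` flags the verification link as shown as ibank.stgeorge.com.au but going to stgeorgeverify.example, while the genuine bank link passes.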
So when you receive emails from important organisations, such as your bank, don’t ever click on the links, because the links in emails can be misleading. Instead, go to the bank’s web site by typing its address into a web browser yourself.
For further reading see our article on how domain names work, and another detailed example of phishing.